FortiGate
rbarnes
Staff
Article Id 328359
Description

This article describes the case where, with a VIP configured, an nmap scan of the VIP external address shows many ports as open.

Scope

FortiGate 7.0, 7.2, and 7.6.
Solution

Example VIP configuration:

config firewall vip
    edit "test-vip"
        set uuid e16d0128-b55a-51ee-3173-f768c070d037
        set extip 192.168.72.15
        set mappedip "192.168.32.15"
        set extintf "any"
    next
end

Example policy configuration:

config firewall policy
    edit 5
        set name "test-vip"
        set uuid f8362f38-b55a-51ee-123b-5881aa9e1569
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "test-vip"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "CNSA-DI-Inbound-V3"
        set file-filter-profile "Monitor-Exec-And-Archives"
        set ips-sensor "CNSA-IPS"
        set application-list "CNSA-Block-Weak-SSL-TLS-and-Monitor"
        set logtraffic all
    next
end

Example nmap scan:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-22 14:22 Eastern Standard Time
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating NSE at 14:22
Completed NSE at 14:22, 0.00s elapsed
Initiating ARP Ping Scan at 14:22
Scanning 192.168.72.15 [1 port]
Completed ARP Ping Scan at 14:22, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:22
Completed Parallel DNS resolution of 1 host. at 14:22, 0.01s elapsed
Initiating SYN Stealth Scan at 14:22
Scanning 192.168.72.15 [65535 ports]
Discovered open port 80/tcp on x.x.x.x
Discovered open port 443/tcp on x.x.x.x
SYN Stealth Scan Timing: About 21.64% done; ETC: 14:24 (0:01:52 remaining)
SYN Stealth Scan Timing: About 51.10% done; ETC: 14:24 (0:00:58 remaining)
Discovered open port 8015/tcp on x.x.x.x
Discovered open port 8010/tcp on x.x.x.x
Completed SYN Stealth Scan at 14:24, 103.10s elapsed (65535 total ports)
Initiating Service scan at 14:24
Scanning 4 services on 192.168.72.15
Service scan Timing: About 25.00% done; ETC: 14:27 (0:02:18 remaining)

To avoid this, restrict the VIP to the specific ports that are needed by enabling port forwarding and setting the external and mapped ports:

config firewall vip
    edit "test-vip"
        set extip x.x.x.x
        set mappedip x.x.x.x
        set extintf "any"
        set portforward enable
        set extport 443 <--
        set mappedport 443 <--
    next
end

If several ports must be opened to the same external address, a separate VIP may be needed for each port.
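As an added example (not code from the article or from Fortinet), the following Python script checks an nmap scan of a VIP external address against the VIP definitions: a VIP without port forwarding is reported as publishing every port, and any open port not covered by an extport setting is flagged. The VIP "test-vip-443", the address 192.168.72.16 and the nmap lines are constructed for the example and modelled on the article's snippets.

```python
# Added example (not the article's code): compare an nmap scan of a VIP external address
# with the VIP definitions. A VIP without 'set portforward enable' maps every port.
import re

# Constructed config and nmap text modelled on the article's examples.
VIP_CONFIG = '''
config firewall vip
    edit "test-vip"
        set extip 192.168.72.15
    next
    edit "test-vip-443"
        set extip 192.168.72.16
        set mappedip "192.168.32.16"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
'''
NMAP_OUTPUT = '''
Discovered open port 80/tcp on 192.168.72.15
Discovered open port 443/tcp on 192.168.72.15
Discovered open port 8015/tcp on 192.168.72.15
Discovered open port 8010/tcp on 192.168.72.15
Discovered open port 443/tcp on 192.168.72.16
'''

def vip_exposed_ports(config_text, extip):
    """External TCP ports the VIPs for extip publish; None if one forwards all ports."""
    exposed = set()
    for block in re.findall(r'edit "[^"]+"(.*?)\n\s*next', config_text, re.S):
        settings = dict(re.findall(r"set (\S+) (.+)", block))
        if settings.get("extip") != extip:
            continue
        if settings.get("portforward") != "enable":
            return None  # 1:1 VIP: no port restriction at the VIP at all
        lo, _, hi = settings["extport"].partition("-")  # extport may be N or N-M
        exposed.update(range(int(lo), int(hi or lo) + 1))
    return exposed

def nmap_open_ports(nmap_text, host):
    """TCP ports from 'Discovered open port N/tcp on host' lines for this host."""
    found = re.findall(r"Discovered open port (\d+)/tcp on (\S+)", nmap_text)
    return {int(port) for port, h in found if h == host}

def unexpected_open_ports(config_text, nmap_text, extip):
    """Open ports the VIP definition for extip was not meant to publish."""
    allowed = vip_exposed_ports(config_text, extip)
    seen = nmap_open_ports(nmap_text, extip)
    return seen if allowed is None else seen - allowed
```

Running `unexpected_open_ports` against a real `show firewall vip` dump and a saved nmap log after applying the fix should return an empty set for the VIP address; any remaining port means the VIP or policy still publishes more than intended.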